Configure AEM so that a replication agent on the author instance uses mutual SSL (MSSL) to connect with the publish instance. Using MSSL, the replication agent and the HTTP service on the publish instance use certificates to authenticate each other.

Configuring MSSL for replication involves performing the following steps:

Create or obtain private keys and certificates for the author and publish instances.

Install the keys and certificates on the author and publish instances:

Author: Author's private key and Publish's certificate.

Publish: Publish's private key and Author's certificate. The Author certificate is associated with the user account that the replication agent authenticates as on the publish instance.

Configure the Jetty-Based HTTP Service on the Publish instance.

Configure the transport and SSL properties of the replication agent.

You must determine which user account performs the replication on the publish instance. When you install the trusted author certificate on publish, the certificate is associated with that account, and from then on any client that presents author's certificate (that is, anyone holding author's private key) is authenticated as that user. Use a dedicated account that has only the permissions replication needs, and protect author's keystore accordingly.

Obtaining or Creating Credentials for MSSL

You require a private key and a public certificate for each of the author and publish instances:

Private keys must be in PKCS#12 or JKS format.

Certificates must be in PKCS#12 or JKS format. Additionally, a certificate in CER format can be added to the Granite TrustStore.

Certificates can be self-signed or signed by a recognized CA.

JKS Format

Generate a private key and a certificate in JKS format. The private key is stored in a KeyStore file, and the certificate is stored in a TrustStore file. Use Java keytool to create both.

Perform the following steps using Java keytool to create the private key and the certificate:

Generate a private-public key pair in a KeyStore.

Create or obtain the certificate:

Self-signed: Export the certificate from the KeyStore.

CA-signed: Generate a certificate request and send it to the CA.

Import the certificate into a TrustStore.

Use the following procedure to create a private key and a self-signed certificate for both the author and publish instances. Use different values for command options accordingly.

Open a command-line window or terminal. To create the private-public key pair, enter the following command, using option values from the table below:
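The keytool command and its option table are not on this page. The following added script is mine, not part of the AEM documentation or product; it performs the JKS procedure above for both instances: one key pair per instance, the self-signed certificate exported from each KeyStore, and each certificate imported into the other side's TrustStore, followed by a check of what each store holds. The aliases, file names, CN values and the `changeit` password are assumptions; it needs a JDK keytool on the PATH.

```shell
#!/bin/sh
# Added example, not from the AEM documentation: the JKS procedure for author and publish.
# Assumptions: aliases author/publish, the CN values, the "changeit" password, and a
# work directory taken from $MSSL_WORK or a fresh temp dir.
set -eu

WORK="${MSSL_WORK:-$(mktemp -d)}"
STOREPASS=changeit

# Step 1: private/public key pair in a JKS KeyStore. -storetype JKS keeps the page's
# format (JDK 9+ otherwise defaults to PKCS12); -dname avoids the interactive prompts.
gen_keypair() {                    # gen_keypair <alias> <common-name>
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$2" -storetype JKS -keystore "$WORK/${1}_keystore.jks" \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2, self-signed path: export the certificate (PEM, -rfc) from the KeyStore.
# CA-signed path instead: keytool -certreq -alias <alias> -keystore <store> -file <alias>_request.csr
export_cert() {                    # export_cert <alias> -> writes <alias>.cer
  keytool -exportcert -rfc -alias "$1" -keystore "$WORK/${1}_keystore.jks" \
    -storepass "$STOREPASS" -file "$WORK/$1.cer"
}

# Step 3: import the OTHER side's certificate into this side's TrustStore.
# -noprompt answers the "Trust this certificate?" question; only do that for a
# certificate obtained out of band, never one fetched over the wire unchecked.
trust_cert() {                     # trust_cert <owner> <peer-alias>
  keytool -importcert -noprompt -alias "$2" -file "$WORK/$2.cer" \
    -keystore "$WORK/${1}_truststore.jks" -storetype JKS -storepass "$STOREPASS"
}

# Verify what ended up in a store: exit 0 when <alias> is present as the given entry type.
store_has() {                      # store_has <store-file> <alias> <PrivateKeyEntry|trustedCertEntry>
  keytool -list -keystore "$WORK/$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
    | grep -q "$3"
}

if command -v keytool >/dev/null 2>&1; then
  gen_keypair author  author.example
  gen_keypair publish publish.example
  export_cert author
  export_cert publish
  trust_cert author  publish       # author's TrustStore holds publish's certificate
  trust_cert publish author        # publish's TrustStore holds author's certificate
  store_has author_keystore.jks    author  PrivateKeyEntry
  store_has publish_truststore.jks author  trustedCertEntry
  echo "JKS files written to $WORK"
fi
```

The resulting pairs match the install table at the top of the page: author gets author_keystore.jks (its private key) plus author_truststore.jks (publish's certificate); publish gets publish_keystore.jks plus publish_truststore.jks (author's certificate, to be associated with the replication user).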

PKCS#12 Format

Generate a private key and a certificate in PKCS#12 format using OpenSSL. The procedure below generates a private key and a certificate request. To obtain the certificate, either sign the request with your own private key (self-signed certificate) or send the request to a CA. Then generate the PKCS#12 archive that contains the private key and the certificate.

Open a command-line window or terminal. To create the private key, enter the following command, using the option values from the table below:

openssl genrsa -out keyname.key 2048

Option    Author        Publish
-out      author.key    publish.key

To generate a certificate request, enter the following command, using the option values from the table below:

openssl req -new -key keyname.key -out key_request.csr

Option    Author                Publish
-key      author.key            publish.key
-out      author_request.csr    publish_request.csr

Either sign the certificate request or send the request to a CA.

To sign the certificate request, enter the following command, using option values from the table below:

Configure the HTTP Service on Publish

Configure the properties of the Apache Felix Jetty Based HTTP Service on the publish instance so that it serves HTTPS using the key and trusted certificates held in the Granite KeyStore and TrustStore. The PID of the service is org.apache.felix.http.

The following table lists the OSGi properties to configure, with the label shown in the Web Console, the underlying OSGi property name, and the value to set.

Property Name on Web Console             OSGi Property Name                             Value
Enable HTTPS                             org.apache.felix.https.enable                  true
Enable HTTPS To Use Granite KeyStore     org.apache.felix.https.use.granite.keystore    true
HTTPS Port                               org.osgi.service.http.port.secure              8443 (or other desired port)
Client Certificate                       org.apache.felix.https.clientcertificate       "Client Certificate Wanted"

"Client Certificate Wanted" means the server requests a client certificate during the TLS handshake but does not abort the handshake when none is presented; a client without a certificate still reaches the HTTP service and is then handled by the normal Sling authentication.
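The same four settings as an OSGi configuration file, for deployments that ship configuration in code rather than through the Web Console. This is an added example, not a file from the AEM documentation; the /apps/<project>/ path is an assumption, and config.publish is the run-mode folder that keeps the setting off the author instance. The stored value behind the console label "Client Certificate Wanted" is wants; the Felix Jetty service accepts none, wants and needs.

```properties
# Added example: /apps/<project>/config.publish/org.apache.felix.http.config
# (project path assumed). Values use the Felix .config typed syntax: B = Boolean, I = Integer.
org.apache.felix.https.enable=B"true"
org.apache.felix.https.use.granite.keystore=B"true"
org.osgi.service.http.port.secure=I"8443"
# wants: request but do not require a client certificate (the page's "Client Certificate
# Wanted"). needs would abort the handshake of every client on this port that has none,
# including browsers and load-balancer health checks, so change it only deliberately.
org.apache.felix.https.clientcertificate="wants"
```

After deploying the file, confirm in /system/console/configMgr that the org.apache.felix.http configuration shows these values and that the HTTPS port is listening before pointing the replication agent at it.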

Configure the Replication Agent on Author

Configure the replication agent on the author instance to use the HTTPS protocol when connecting to the publish instance. For complete information about configuring replication agents see Configuring Your Replication Agents.

To enable MSSL, configure the properties on the Transport tab according to the following table:

Property    Value
URI         https://server_name:SSL_port/bin/receive?sling:authRequestLogin=1
            For example: https://localhost:8443/bin/receive?sling:authRequestLogin=1
User        No value
Password    No value
SSL         Client Auth

The sling:authRequestLogin=1 parameter makes Sling request credentials for the replication request instead of treating it as anonymous; leaving User and Password empty makes author's client certificate the only credential the agent presents.

After you configure the replication agent, use its Test Connection link to determine whether MSSL is configured correctly. A failure at this point is either a TLS problem (the wrong or an expired certificate in a TrustStore, or a host name that does not match publish's certificate) or a mapping problem (author's certificate not associated with the replication user on publish); the agent log on the author instance shows which of the two it is.
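The PKCS#12 procedure earlier on this page stops before the signing and bundling commands, and the page closes by asking you to test the connection. The following added script is mine, not part of the AEM documentation or product; it carries the OpenSSL procedure through for both instances, checks that each certificate really belongs to the key it is bundled with, and then exercises the mutual handshake against a throwaway OpenSSL s_server that stands in for publish's HTTPS port: it admits author when author presents its certificate and refuses a client that presents none. The work directory, the CN values, the changeit passphrases and the port passed to start_fake_publish are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the AEM documentation: the PKCS#12 procedure for author and
# publish carried through with OpenSSL, followed by a local mutual-TLS handshake check.
# Assumptions for the demo: the work directory, the CN values, the "changeit"
# passphrases and the port given to start_fake_publish. Paths must not contain spaces.
set -eu

WORK="${MSSL_WORK:-$(mktemp -d)}"   # where keys, CSRs, certificates and .pfx bundles go

# Private key, certificate request, self-signed certificate and PKCS#12 bundle for one
# side. The .csr is the same file you would send to a CA instead of self-signing it.
make_identity() {                  # make_identity <name> <common-name> <pfx-passphrase>
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/${1}_request.csr"
  openssl x509 -req -days 365 -in "$WORK/${1}_request.csr" \
    -signkey "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs12 -export -name "$1" -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -passout "pass:$3" -out "$WORK/$1.pfx"
}

# Check before uploading anything: the certificate's public key must be the public half
# of the private key it is bundled with, or the handshake fails later with an opaque error.
key_matches_cert() {               # key_matches_cert <name> -> exit 0 if they match
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

# Which certificate a .pfx actually carries (what the Granite KeyStore upload will see).
pfx_subject() {                    # pfx_subject <name> <pfx-passphrase> -> prints subject=...
  openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Stand-in for publish's HTTPS port: presents publish's certificate and, like Jetty's
# "needs" client-certificate setting, aborts the handshake of any peer that does not
# present a certificate it trusts (author.crt is the only trusted entry here).
start_fake_publish() {             # start_fake_publish <port>
  openssl s_server -accept "$1" -cert "$WORK/publish.crt" -key "$WORK/publish.key" \
    -CAfile "$WORK/author.crt" -Verify 1 -www >/dev/null 2>&1 &
  FAKE_PUBLISH_PID=$!
  sleep 1                          # give s_server a moment to bind the port
}
stop_fake_publish() { kill "$FAKE_PUBLISH_PID" 2>/dev/null || true; }

# Author's side of the exchange: trust publish.crt (-verify_return_error aborts on a
# server certificate it does not trust), optionally present author's key pair, then
# report whether the server completed the handshake and answered the request.
author_connect() {                 # author_connect <port> [<cert> <key>] -> prints ok|refused
  clientauth=""
  if [ $# -ge 3 ]; then clientauth="-cert $2 -key $3"; fi
  if printf 'GET / HTTP/1.0\r\n\r\n' \
       | openssl s_client -connect "127.0.0.1:$1" -CAfile "$WORK/publish.crt" \
           -verify_return_error -quiet $clientauth 2>/dev/null \
       | grep -q '^HTTP/1.0 200'; then echo ok; else echo refused; fi
}

demo() {
  make_identity author  author.example  changeit
  make_identity publish publish.example changeit
  key_matches_cert author
  key_matches_cert publish
  echo "author.pfx carries: $(pfx_subject author changeit)"
  start_fake_publish 18443
  echo "author with its certificate: $(author_connect 18443 "$WORK/author.crt" "$WORK/author.key")"
  echo "client with no certificate:  $(author_connect 18443)"
  stop_fake_publish
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Against a real publish instance the equivalent probe is openssl s_client -connect publish_host:8443 -cert author.crt -key author.key -CAfile publish.crt, or curl --cert author.pfx:changeit --cert-type P12 --cacert publish.crt 'https://publish_host:8443/bin/receive?sling:authRequestLogin=1'. Note that the demo server uses the "needs" behaviour so that the refusal is visible in the handshake; with the page's "Client Certificate Wanted" setting publish completes the handshake even without a client certificate, and a request that is then answered with an authentication error means TLS accepted the certificate but it is not mapped to the replication user, which is an AEM-side problem rather than a certificate problem.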